With a year already full of cyber attacks from DDoS to HijackRAT to Emmental—and it’s only August—it shouldn’t be too surprising that regulators and other government agencies are trying to step up their cyber defense game. Enter beefed-up cybersecurity risk assessments and the Cybersecurity Information Sharing Act (CISA). And surprise! Both strategies involve your institution.
Cybersecurity Risk Assessment
This year the Federal Financial Institutions Examination Council (FFIEC) announced the addition of a cybersecurity risk assessment to regular IT examinations. On one hand, these assessments shouldn’t pose too great a burden to your institution, because they evaluate things you likely are doing already—or should be. And if you’re not, this risk assessment isn’t your biggest worry.
On the other hand, many institutions are displeased with the addition of yet another risk assessment. These institutions already feel weighed down enough with the increasingly burdensome regulations that have come about since Dodd-Frank.
No matter which camp you’re in, you need to know what the FFIEC is expecting. These cybersecurity assessments will begin during exams later in 2014, so it would be prudent for financial institutions to begin preparing now. Luckily, FFIEC representatives broke their expectations down into four areas in a presentation given to over 5,000 CEOs the day after the announcement. (See the video below for more information.)
What you can gather from this increasing regulatory focus on cybersecurity is that it isn’t just an IT issue anymore. Data breaches affect every department, from customer service and marketing to accounting. For this reason, the focus is now top-down, with C-level executives being asked to get involved with data security.
Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act is a proposed bill being advocated by US Treasury Secretary Jack Lew that will, in summary, encourage information sharing between businesses and government entities. This is accomplished by giving legal protection to businesses that disclose information about potential cyber threats to authorities in order to help prevent industry losses. By removing barriers to information sharing, the bill would hopefully encourage financial institutions to share information with each other and eventually reduce the number of, shall we say, “Target incidents.” Information sharing is crucial to avoiding individual and national data security compromise.
Although this act would require companies to remove personally identifiable information before sharing, it is causing more than a quiet objection on the part of privacy advocates. Two senators (Ron Wyden, D-Oregon, and Mark Udall, D-Colorado) sum up the misgivings this way: “[W]e have seen how the federal government has exploited loopholes to collect Americans’ private information in the name of security… We are concerned that the bill the U.S. Senate Select Committee on Intelligence reported today lacks adequate protections for the privacy rights of law-abiding Americans, and that it will not materially improve cybersecurity.”
However, many trade groups have joined together to support CISA, as evidenced by a letter released July 31, 2014 signed by 12 different groups, including NAFCU, CUNA, and ABA.
With cyber criminals constantly shifting their strategies for exploiting any gaps in the nation’s financial system, these two measures are unlikely to be the last of the government’s efforts to address cybersecurity.
For more information on how your institution can efficiently manage its cybersecurity programs, we invite you to contact Alberto Gamez at firstname.lastname@example.org or by calling 888-972-3624.